"Barracuda Zero-Day Exploited by Chinese Actor"

A zero-day vulnerability in the Barracuda Email Security Gateway (ESG) discovered in late May has been exploited in a Chinese espionage campaign since October 2022, according to security researchers at Mandiant. The researchers noted that the new threat actor UNC4841 began sending phishing emails as far back as October 10 last year. These malicious emails contained file attachments designed to exploit the Barracuda bug CVE-2023-2868 to gain initial access to vulnerable appliances.

Once a foothold had been established, the group used the Saltwater, Seaside, and Seaspray malware families to maintain a presence on the devices by masquerading as legitimate Barracuda ESG modules or services. The researchers noted that, after initial compromise, they observed UNC4841 aggressively target specific data of interest for exfiltration and, in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network or to send mail to other victim appliances. The researchers also observed UNC4841 deploy additional tooling to maintain a presence on ESG appliances.

Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group switched malware and deployed new persistence mechanisms to maintain access. The researchers noted that between May 22 and 24, UNC4841 targeted victims in 16 countries with “high frequency” operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances, whatever their patch status. The researchers stated that UNC4841 has shown itself to be highly responsive to defensive efforts and actively modifies its TTPs to maintain its operations.


Infosecurity reports: "Barracuda Zero-Day Exploited by Chinese Actor"